Fail2ban cannot be used in this case, because it will only block attacks on the system be incoming mail. But here the issue is that outgoing mail is sent from the system.
The first step to identify the source of the issue is to turn on "outgoing mail control" on and set it to a low value, e.g. 30 mails/hour server-wide.
Tools & Settings > Mail Server Settings > Switch on limitations on outgoing email messages > Default limit on outgoing messages from a subscription (per hour): "30".
Then wait until the outgoing mail statistics are updated. You can then directly see which domains are sending the mail. Disable the domains.
Then examine in /var/log/maillog whether the spam was sent via SMTP login in a mailbox or if it is sent through a website script. When it is sent by a mailbox login, you will find plenty of
... postfix/pickup[<number>]: ...
lines for the according domains or mailbox in the log. If you cannot see the pickup in the maillog, the spam is sent by a website script that is running on localhost. As you have already turned the domain of, you will not see that "live".
Normally, when spam is sent by SMTP login, you must first remove the viruses and trojans from all systems that could have access to the mailbox. Else a password change won't help, because keyloggers will immediately transmit the new password to the hacker or the virus will use an updated mail client profile to continue sending spam.
If the spam is sent by a website script, this is normally done by encrypted .php scripts. You can run a command like
egrep -r -i --include=\*.php '64_decode|edoced_46' --exclude-dir={system,logs,bin,dev,etc,lib,lib64,sbin,usr,var,tmp} /var/www/vhosts/<DOMAIN>/httpdocs
to get a list of all base64 encoded script lines. Some will be o.k. (the short ones), but all longer lines that are running over several lines on your screen and are encrypted, are very likely malware. Now that you have identified the malicious scripts, delete them. Normally such scripts are installed by a backdoor in either poorly made software plugins or malicious software plugins or modules (e.g. for Wordpress or Joomla).
The third but rare possibility is that neither the standard SMTP service sends spam by a login, nor a website is submitting spam to the service, but a stand-alone SMTP server (normally "Exim") was launched by an executable /tmp directory. It can easily be found by
# ps -aux | grep exim